Remove From My Forums

Where-Object breaks script

Question
0

Sign in to vote
I need to pull a list of accounts from a single OU that have 2 specific values in 2 attributes, these accounts also need to have not reset their passwords in a number of days.

I can run part of my script and get the accounts without password reset in the given number of days, but as soon as I add a condition looking for either of the attribute values it returns 0 results, even though I know there are thousands of them

The code I am trying is

$PasswordAge = 30 $time = (Get-Date).Adddays(-($PasswordAge)) Get-ADUser -ResultpageSize 20000 -Filter {pwdLastSet -lt $time} -SearchBase "ou=MYOU,dc=domain,dc=com" | Where-Object {$_.customattribute -contains 'Value'} | Where-Object {$_.memberof -contains 'CN=Group Name,OU=Security Groups (Mail Enabled),DC=domain,DC=com'} Select-Object sAMAccountName | ConvertTo-Csv -NoTypeInformation | Select-Object -Skip 1 | Set-Content -Path "c:\users\test.csv"

So this should give me all accounts in MYOU with a password reset date of 30 days or more in the past with the given values in customattribute and memberof. The results should be saved to a csv on my C drive with the column headercremoved and only the saMAccountName attribute should be listed.

If I run just

$PasswordAge = 30 $time = (Get-Date).Adddays(-($PasswordAge)) Get-ADUser -ResultpageSize 20000 -Filter {pwdLastSet -lt $time} -SearchBase "ou=MYOU,dc=domain,dc=com" | Select-Object sAMAccountName |

I get all the sAMAccountName values for users in the OU with no password reset in 30 days or more scrolling down the screen, if I add the code to export to csv I get the same results saved to the csv file

What am I doing wrong?
- Edited by GADavies Wednesday, June 24, 2020 4:28 PM correction
Wednesday, June 24, 2020 3:56 PM

Answers

1

Sign in to vote
Also, you have to ask for the extra attributes, or they won't be there.

get-aduser js -property memberof,customattribute
- Edited by JS2010 Wednesday, June 24, 2020 5:56 PM
- Marked as answer by GADavies Wednesday, June 24, 2020 6:21 PM
Wednesday, June 24, 2020 5:56 PM

All replies

1

Sign in to vote
Is there a pipe symbol before select-object? Pwdlastset is in the filetime format, not the datetime format. We don't know what customattribute is, but -contains only works with complete array elements, not substrings.
- Edited by JS2010 Wednesday, June 24, 2020 5:03 PM
Wednesday, June 24, 2020 4:58 PM
0

Sign in to vote

In the code I'm using there is, I edited to remove the actual OU etc. and deleted the pipe accidentally. Thing is, even if this is removed I get zero results, the where-object conditions are what breaks this

Wednesday, June 24, 2020 5:09 PM
0

Sign in to vote
Does it work with just the memberof where-object? $time should be:

$time = $time.ToFileTime()
- Edited by JS2010 Wednesday, June 24, 2020 5:15 PM
Wednesday, June 24, 2020 5:15 PM

Adding ANY where-object means I get zero results.

Running

$PasswordAge = 30
$time = (Get-Date).Adddays(-($PasswordAge))
Get-ADUser -ResultpageSize 20000 -Filter {pwdLastSet -lt $time} -SearchBase "ou=MYOU,dc=domain,dc=com"

gives me default attributes for ALL accounts in the OU with no password reset in the last 30 days. Running

$PasswordAge = 30
$time = (Get-Date).Adddays(-($PasswordAge))
Get-ADUser -ResultpageSize 20000 -Filter {pwdLastSet -lt $time} -SearchBase "ou=MYOU,dc=domain,dc=com" | Select-Object sAMAccountName

Gives me just sAMAccountName for all accounts in the OU with no password reset in the last 30 days. Running

$PasswordAge = 30
$time = (Get-Date).Adddays(-($PasswordAge))
Get-ADUser -ResultpageSize 20000 -Filter {pwdLastSet -lt $time} -SearchBase "ou=MYOU,dc=domain,dc=com" | Where-Object {$_.customattribute -contains 'Value'}

Gives me nothing, if I replace the where-object code with any other where-object condition I get no results.

Adding the where-object condition or conditions means I get no results

Wednesday, June 24, 2020 5:30 PM

1

Sign in to vote
Some people get confused about what -contains does. It has to match the whole array element, not part of an element. Without knowing the exact code, we can only guess.

'hi','there' -contains 'hi'
True

'hi','there' -contains 'h'
False
- Edited by JS2010 Wednesday, June 24, 2020 5:38 PM
Wednesday, June 24, 2020 5:37 PM
0

Sign in to vote
I am aware of this, I am using the full value I need to filter by, so the member of where-object uses the FQDN of the group, the customattriute where-object is using the full value.

Both attributes I am trying to filter on are multi value attributes, I need to find accounts with specific values in each of these attributes. I have used this in other scripts and got what I needed, for some reason using the same code here fails.
- Edited by GADavies Wednesday, June 24, 2020 5:53 PM spelling correction
Wednesday, June 24, 2020 5:43 PM
1

Sign in to vote
Also, you have to ask for the extra attributes, or they won't be there.

get-aduser js -property memberof,customattribute
- Edited by JS2010 Wednesday, June 24, 2020 5:56 PM
- Marked as answer by GADavies Wednesday, June 24, 2020 6:21 PM
Wednesday, June 24, 2020 5:56 PM
0

Sign in to vote
$time test. Maybe it works.

get-aduser -filter {pwdlastset -lt $time} -ResultSetSize 5 -property pwdlastset |
% { [datetime]::fromfiletime($_.pwdlastset) }

Sunday, December 31, 1600 7:00:00 PM
Tuesday, November 24, 2015 12:19:24 PM
Tuesday, May 23, 2017 4:36:18 PM
Tuesday, January 12, 2016 3:13:14 PM
Monday, January 8, 2018 10:12:23 AM
- Edited by JS2010 Wednesday, June 24, 2020 6:21 PM
Wednesday, June 24, 2020 6:11 PM
0

Sign in to vote

that fixed it, thanks

Wednesday, June 24, 2020 6:21 PM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Where-Object breaks script

Question

Answers

All replies